#TomV

👋 happy to help

I'm not familiar with PSD2 would you mind elaborating?

Hey, taking over here. There's no specific regulation re: expiration of off-session 3DS/auth of cards. See: https://www.eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2018_4031#:~:text=Are card payments,RTS SCA requirements%3F

Ultimately the decision to considering a MIT out of SCA scope resides with the issuer/bank. It may well be that a cardholder's bank requires auth for SCA even when the MIT is related to a previous, valid mandate

So to answer your original Q: no, cards saved/auth'd via s_f_u don't expire after 90 days

Your integration should be designed to handle instances where authentication is requested for any off-session payments, regardless of timeframe

Hope this helps!